Security Blanket

Public Key Infrastructure unlocks e-government potential.

Nearly everyone recognizes the Internets vast potential to remake government. Since the dawn of the Web, public officials have promoted the notion that online transactions between agencies and their constituents and business partners will spark huge gains in government efficiency and user-friendliness.

But moving face-to-face dealings into the virtual world comes with its share of challenges, not the least of which are verifying the identity of those involved in the transaction and shielding the entire matter from prying eyes. A growing number of states are turning to digital signature technology to solve these challenges and equip themselves to conduct some of governments most sensitive transactions electronically.

"There are a lot of states taking a look at PKI and deciding what to do now that Y2K is over," said Karen West, director of government services for Digital Signature Trust Co. (DST), a subsidiary of Zions First National Bank. The firm is working with Washington, Utah and other jurisdictions to create digital signature systems.

Washington and Illinois are among the first to roll out statewide implementations of public key infrastructure (PKI) technology that allow citizens, businesses and others to securely deal with government agencies over the Web. Both states began issuing digital identity certificates earlier this year. Unlike single-department solutions, these systems are meant to give citizens one digital signature to use in online dealings with any state or local government department and, particularly in the case of Washington, even private transactions.

PKI activity also appears to be picking up elsewhere across the nation. Utah is developing a similar system under a digital signature contract awarded last year. And other states, including Iowa and Virginia, reportedly are preparing RFPs for PKI systems.

Different Paths

Although Washington and Illinois agree that statewide digital signature systems promise to advance electronic government, they have taken somewhat different paths toward creating those systems. Under a master contract signed last year, DST acts as Washingtons certificate authority, verifying the identity of digital signature applicants, issuing digital certificates that serve as users online IDs and accepting liability for transactions based on those IDs. By contrast, Illinois operates its own certificate authority within the states data center.

Having a third party issue Washingtons digital certificates offers several benefits, said state CIO Steve Kolodney, including acceptance of the electronic signatures for a broad range of e-commerce activities.

"We decided on a third-party issuer because we wanted these signatures to be used in transactions with state government, but we also wanted to give our citizens the ability to use that same signature for other transactions of similar consequence, whether it be with federal government, other state governments or business," Kolodney said. "If we issued the certificates ourselves against a policy that wasnt rigorous enough to support these other uses, they wouldnt be acceptable to the federal government or in business-to-business transactions."

DSTs willingness to stand behind the accuracy of its digital identities was another key factor, he added. "As a state government, we did not want to take on that liability, but we wanted it to exist. We want the relying party to feel trust in the use of that certificate. Trust comes from a third party that says, We are sure enough about what we are doing to assume the liability and support of the transaction."

On the other hand, Illinois policymakers decided that issuing digital identifications was a natural extension of tasks already handled by state government. Illinois has invested approximately $2.5 million in computer hardware and PKI software to issue, store and manage digital identities for its residents. The system is run by the state Department of Central Management Services and uses PKI software from Entrust Technologies.

"If you think about how we distribute Social Security numbers or drivers license numbers or how we distribute identifiers for public aid, we felt that it was a role of government to be the identifier of a digital certificate and digital signature," said Illinois Chief Technology Officer Mary Barber Reynolds.

Internal operation of the certificate authority also ensures reliable storage of digital identities and eliminates worries about the long-term financial health of third-party PKI providers, according to Brent Crossland, the states deputy chief information officer.

"What do you do if your ASP goes bankrupt?" asked Crossland. "That was in the back of our minds all along, quite honestly."

Some differences between the Washington and Illinois PKI operations also are a matter of scope. Washington foresees its digital certificates being used to facilitate nearly any electronic transaction -- citizen to government, business to government, business to business or citizen to citizen.

At least initially, Illinois is taking a narrower approach, targeting dealings with state and local government. However, Crossland said use of state-issued digital signatures could migrate over time to commercial dealings, either through formal agreements or informally, much as drivers licenses evolved into a common method for verifying identity in the physical world.

"Were not ready to get there. There are a lot of liability issues, and there are a lot of questions to be answered," he said. "But if you look in the crystal ball, thats probably where things are headed."

Do the Math

Regardless of whether the certificate authority is outsourced or operated internally, the technology behind PKI systems is essentially the same. The certificate authority uses cryptography software to generate a pair of very large mathematically related prime numbers. One number is given to the user and designated the private key. The other -- the public key -- is stored in a directory by the certificate authority and is usually made widely available.

User IDs are issued in the form of an electronic certificate which, in addition to containing the private key, includes information about who the certificate belongs to, who issued the certificate and when the certificate expires. Certificates can be stored in a users Web browser or in a piece of hardware, such as a smart card or tiny plug-in USB device.

To complete a secure transaction, the user encrypts data with the private key, and the recipient unscrambles the message with the public key. The process provides a positive identity because only the unique key pair can encode and decode the message. In other words, if the public key unscrambles the message, the data must have come from the holder of the private key. The process also works in reverse, allowing someone with the public key to send a message that can only be read by someone with the matching private key.

Although the public and private keys are mathematically related, their length prevents someone from using one to figure out the other, said DSTs West. For instance, Washingtons PKI system uses numbers that are 1,024 characters long. "It will be a very long time before thats cracked," West said. "We will have moved and upgraded everyone to longer key lengths well before anyone even approaches breaking the code on these."

To ensure that data remains unaltered during transmission, the information is passed through whats known as a hashing algorithm, which creates a mathematical representation of the message. That representation is encrypted with the users private key and sent along with the message. At the other end, the recipient decrypts the message and runs it through the same hashing algorithm. If the hash file created by the recipient matches the hash file created by the sender, the data is unchanged.

Choose Your Security

Washington issues three levels of digital identification, offering standard, intermediate and high levels of security. By early March, the state had distributed several hundred identification certificates, generally of the high-security variety. Differences among the security levels lie in how applicants are authenticated and how the digital signature is stored, according to Kolodney.

At the high-security level, applicants must appear before a notary with two pieces of photo identification. The notary then submits the information to the certification authority. The authority verifies the application and assigns the applicant a digital identification, which is stored either in a smart card or a device called a key fob that plugs into the USB port on a users PC. In addition, applicants are given a pass phrase or an identification number.

Initiating a secure transaction requires both the hardware device containing the digital ID and the pass phrase or number. "We like to say that you have to have something and you have to know something," Kolodney said. "That is a security matter, because to lose [the digital identity] you have to lose the physical device and the pass phrase at the same time."

Initial users of Washingtons high-security certificates include lawyers seeking confidential client records and health-care professionals seeking communicable disease data, said Kolodney. In addition, the states public retirement system envisions using the certificates to allow members to change addresses, job status and other information electronically.

At the standard-security level, users apply for the digital certificates online. The identifications are issued with minimal verification and loaded directly into a users Web browser.

"Theres really no security associated with it other than youve asked for it and gotten it. So it represents you to that extent," Kolodney said. He expects standard certificates to replace state-issued passwords used for electronic tax filing applications and other common transactions.

Washingtons intermediate-level certificates fill the gap between the two extremes. Like the high-security signature, intermediate IDs require storage of the certificate in a smart card or key fob. But they dont require a notarized application.

Users pay an annual fee for their certificate based on its security level. Standard certificates cost less than $20 per year. High-security certificates cost about twice that amount, plus a one-time fee for the smart card or key fob hardware. Standard certificates carry a liability limit of $1,000 per transaction. The limit for intermediate certificates is $10,000, and high-security certificates may be used for transactions valued as high as $50,000.

Cautious Start

Illinois currently issues a single high-security certificate. The state expects to expand the certificate options later on, but its keeping the initial roll out simple to avoid confusion and to develop the processes needed for a wider implementation, said Reynolds.

So far, Illinois is giving certificates to users it can readily and positively identify, such as Medicaid providers that regularly deal with state health agencies. But while face-to-face identification of trusted business partners works on a small-scale basis, Illinois officials acknowledge that meeting the governors goal of issuing digital IDs to as many as 1 million citizens and businesses over the next 18 months demands a different approach.

"These are people who come to us multiple times in a year, and they come to us in a known context," said Crossland. "Down the road, weve got to figure out how to register John Q. Citizen who just pops up on the Web and says, I want a certificate. And thats a little more complicated."

Ultimately, Illinois expects to develop a suite of certificates covering multiple security levels and create online application processes for at least some of them.

"Were working our way through these various applications and talking about the levels of certificates we might want to have. Weve looked at four levels and weve looked at five," said Crossland. "If you go with the five-level model, youre going through a state-police vetting process at the highest level. But theres a use for that in state government."

Illinois system passed its final testing in January and since then has issued a handful of digital certificates, said Reynolds. The state did, however, issue a number of certificates through the system before it reached full production for use in various pilot projects. Eventually, state IT officials expect as many as half of Illinois citizens -- or about 6 million people -- to seek a digital identity.

Unlike Washington, Illinois will provide digital certificates to citizens and businesses at no cost. Crossland said the move eliminates squabbles over who pays for the IDs.

"We just put the money in the budget and appropriated it. So we dont talk about [cost] anymore," he said. "Its always nice to take at least one issue off the table."

The Hard Part

Although PKI involves sophisticated cryptography, those involved in developing these systems say implementing the technology is easy compared with creating the regulatory and procedural framework to support it. In other words, they argue that digital identities and signatures are only as good as the rules behind them.

"Its not just the technology of the encryption or the signature, its the policy and practice that creates trust. And this is all about trust," said Kolodney.

"This is not a face-to-face transaction, this is a transaction over distance. So you have to substitute the inherent trust two people who know each other might have with some other kind of trust that is based on policy," he said. "That is a critically important element, and it takes months and months and months to work out."

In fact, Washingtons effort took several years, according to Kolodney. Besides passing legislation to make digital signatures a legal substitute for written signatures, the state developed 150 pages of policy that lays the ground rules for conducting PKI transactions. Among other things, the policies spell out how to identify citizens who apply for digital signatures, liability limits for digital transactions and the responsibilities of digital certificate issuers and recipients.

Similarly, Illinois poured significant resources into developing policies for its PKI system, said Reynolds. "We do want to make sure if were interacting electronically with somebody to renew their drivers license, for example, that they are who they say they are and that they are legally bound by that digital signature just as they would be by a written signature," she said.

Both states add that their certificate policies comply with standards developed by the federal government, facilitating electronic transactions between state and federal agencies. "All of these policy pieces are, by extension, part of the certificate," said Kolodney. "So just issuing the key doesnt get you very far."

Iowa CIO Richard Varn, whose office is preparing an RFP for a statewide PKI system, said the accuracy of existing government identification methods also plays a key role in the trustworthiness of digital identity systems. He noted that digital authentications largely will be based on traditional government identification systems -- those tracking births, deaths, marriage, drivers licenses and other vital statistics.

"We have to coordinate those systems first to make sure they have some relationship with each other," said Varn. He added that Iowa would consider using additional identification methods such as fingerprints and other biometric indicators.

Regardless of the identity data used, Iowa intends to approach the issue gingerly. Varn said citizens would decide how much private information they are willing to give up based on the types of electronic transactions they wish to conduct with the state.

"If you are forcing people to submit personal information like fingerprints for all purposes, for all times, then youve got a privacy debate," he said. "But if you are letting people say, I want to conduct business this way and I want this amount of protection to prove that its me, then youre giving people choices."

Thus far, Iowa is undecided on the issue of outsourcing its PKI or running the system internally. According to Varn, the state will review RFP responses before making its choice. Either way its a business decision that carries a certain amount of risk.

"How do you know that two years from now a digital certificate, with full-blown trust, will not be something your bank offers you as part of its package of services?" said Varn. "We could end up paying for something that would become free to people later, just like we have seen with e-mail and other services."

Still, a growing number of state CIOs are betting that PKI technology holds the key to moving a vast number of government transactions to the Web.

"If you are going to reduce cost, youre going to have to do [electronic] transactions end to end, and theyre going to involve money and theyre going to have to be secure," said Kolodney. "It comes back to trust. How are you going to create a trustworthy relationship in an inherently untrustworthy environment? We think this is a way to do it."

Steve Towns is the former editor of Government Technology, and former executive editor for e.Republic Inc., publisher of GOVERNING, Government Technology, Public CIO and Emergency Management magazines. He has more than 20 years of writing and editing experience at newspapers and magazines, including more than 15 years of covering technology in the state and local government market. Steve now serves as the Deputy Chief Content Officer for e.Republic.

DISCUSS

We invite you to discuss and comment on this article using social media.